Security News > 2023 > May > Emby shuts down user media servers hacked in recent attack

Emby shuts down user media servers hacked in recent attack
2023-05-26 14:56

Emby says it remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and an insecure admin account configuration.

To trick the servers into granting them access and gain admin servers to the vulnerable servers even though they were attempting to log in from outside the LAN, the threat actors exploited a flaw described by Emby as a "Proxy header vulnerability," known since at least February 2020 and recently patched in the beta channel.

The hackers used their access to backdoor the compromised Emby instances by installing a malicious plugin that harvests the credentials of all users signing into the hacked servers.

"After careful analysis and evaluation of possible strategies for mitigation, the Emby team was able to push out an update to Emby Server instances which is able to detect the plugin in question and prevents it from being loaded," Emby said.

As Emby further explained, shutting down the affected servers was a precautionary measure aiming to disable the malicious plugin, as well as to mitigate the immediate escalation of the situation and draw the admins' attention to address the issue directly.

While Emby didn't reveal how many servers were impacted in the attack, Emby developer softworkz added a new community post yesterday titled "How we took down a BotNet of 1200 hacked Emby Servers within 60 seconds."

News URL